Use the search language
The searches you have run to this point have retrieved events from your Splunk index. You were limited to asking questions that could only be answered by the number of events returned.
For example, in the last topic, you ran this search to see how many simulation games were purchased:
sourcetype=access_* status=200 action=purchase categoryId=simulation
To find this number for each day of the previous week, you would have to run the search against the data for each day of that week. To see which products are more popular than the others, you would have to run the search once for each of the eight categoryId values and compare the results.
Learn with search assistant
In the "Start searching" topic, you were introduced to the search assistant. This section explains in more detail one of the ways you can use the search assistant to learn about the Splunk Enterprise search processing language and how to construct searches.
1. Return to the search dashboard and restrict your search to Yesterday:
sourcetype=access_* status=200 action=purchase
As you type in the search bar, search assistant opens with syntax and usage information for the search command (on the right side). If search assistant doesn't open, click the down arrow under the left side of the search bar.
You've seen before that search assistant displays typeahead for keywords that you type into the search bar. It also explains briefly how to search.
2. Type a pipe character, " | ", into the search bar.
The pipe indicates to Splunk that you're about to use a command, and that you want to use the results of the search to the left of the pipe as the input to this command. You can pass the results of one command into another command in a series, or pipeline, of search commands.
You want Splunk to give you the most popular items bought at the online store.
3. Under common next commands, click top.
Splunk Enterprise appends the top command to your search string.
According to search assistant's description and usage examples, the top command "displays the most common values of a field."
4. Either click the categoryId field in the list or type it into the search bar to complete your search:
sourcetype=access_* status=200 action=purchase | top categoryId
This populates the Statistics tab.
View reports in the Statistics tab
The results of a search are reports. The top command returns a tabulated report of the most common values of categoryId. Because top is a transforming command, this report appears in the Statistics tab.
You see that strategy games are the most popular item in the online store.
The top command also returns two new fields: count, the number of times each value of the field occurs, and percent, how large that count is compared to the total count. Read more about the top command in the Search Reference manual.
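To make the pipeline idea concrete (the search to the left of the pipe produces events, the command to the right consumes them), here is an added Python example that emulates `sourcetype=access_* status=200 action=purchase | top categoryId` over a handful of constructed events. It is not Splunk code and not part of the tutorial; the event dicts are made up, and the assumption that the percent denominator is the number of events that actually carry the field is the example's own (compare against your own Statistics tab output).

```python
from collections import Counter

# Constructed sample events shaped like the tutorial's access_* data (not real data).
# Each event is a dict of already-extracted fields.
EVENTS = [
    {"status": "200", "action": "purchase", "categoryId": "strategy"},
    {"status": "200", "action": "purchase", "categoryId": "strategy"},
    {"status": "200", "action": "purchase", "categoryId": "strategy"},
    {"status": "200", "action": "purchase", "categoryId": "arcade"},
    {"status": "200", "action": "purchase", "categoryId": "arcade"},
    {"status": "200", "action": "purchase", "categoryId": "simulation"},
    {"status": "200", "action": "addtocart", "categoryId": "simulation"},  # not a purchase
    {"status": "503", "action": "purchase", "categoryId": "arcade"},       # failed request
    {"status": "200", "action": "purchase"},                               # field missing
]


def search(events, **terms):
    """Left side of the pipe: keep events whose fields match every field=value term."""
    return [e for e in events if all(e.get(k) == v for k, v in terms.items())]


def top(events, field, limit=10):
    """Right side of the pipe: emulate `| top <field>`.

    Returns report rows of {field, count, percent}, most common value first.
    Events that lack the field are skipped and (assumption of this example)
    do not count toward the percent denominator.
    """
    values = [e[field] for e in events if field in e]
    total = len(values)
    rows = []
    for value, count in Counter(values).most_common(limit):
        rows.append({field: value,
                     "count": count,
                     "percent": round(100.0 * count / total, 6)})
    return rows


def report(events, field, **terms):
    """The whole pipeline: search terms | top field."""
    return top(search(events, **terms), field)


if __name__ == "__main__":
    # Equivalent of: status=200 action=purchase | top categoryId
    for row in report(EVENTS, "categoryId", status="200", action="purchase"):
        print(row)
```

Each row printed by `report` corresponds to one line of the Statistics tab: the value, its count, and its share of the total. Adding a further term such as `categoryId="strategy"` to the search narrows the left side of the pipeline exactly as the tutorial's drilldown search does.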
View and format reports in the Visualization tab
View the report in the Visualization tab. By default, the Visualization tab opens with a Column Chart.
If you click on the visualization type selector, you can see that Column, Bar, and Pie charts are recommended for this data set. Select Pie chart:
Now your report should look like this:
You can turn on drilldown to delve deeper into the details of the information presented to you in the tables and charts that result from your search.
If you mouse over each slice of the pie, you will see the count and percentage values for each categoryId. Click on a slice, such as "Strategy".
This runs a new search, specifically for categoryId=strategy.
sourcetype=access_* status=200 action=purchase categoryId=strategy
Read more about drilldown actions in the Splunk Data Visualizations Manual.
Go to the next topic to learn about correlating events with subsearches.
This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1.13, 6.1.14